Microsoft Uncovers Windows Clipper Malware Campaign with USB Worm and Tor-Based Command & Control
- Jun 18
- 3 min read
Key Findings
Windows-based clipper malware campaign active since February 2026 targets cryptocurrency wallets through USB-distributed LNK shortcut files
Malware uses bundled Tor client with SOCKS5 proxy to communicate with hidden-service C2 servers, avoiding traditional IP-based infrastructure detection
Attack chain involves worm component that replicates across USB drives by masking itself as legitimate documents like DOC, XLSX, and PDF files
Clipper steals BIP39 seed phrases, private keys, and wallet addresses while replacing copied cryptocurrency addresses with attacker-controlled alternatives
Malware captures screenshots every ten seconds and includes remote code execution capability through EVAL commands from C2
All components use encryption, PyArmor obfuscation, and PyInstaller packaging with Task Manager detection evasion
Microsoft Defender flags threat as Trojan:Win32/CryptoBandits.A
Background
Clipper malware represents a category of financial malware designed to silently monitor user clipboard activity and intercept sensitive data. Unlike traditional credential stealers, clippers specifically target cryptocurrency transactions by intercepting wallet addresses that users copy and paste. This campaign distinguishes itself through sophisticated distribution methods and advanced evasion techniques that combine data theft with backdoor functionality.
Infection Vector and Worm Propagation
The attack begins when users insert an infected USB drive containing malicious LNK shortcut files. Upon opening a shortcut, the worm component executes and scans the machine to check if infection already exists. If the system is clean, it retrieves the full payload from remote servers. The worm then searches the USB drive for common document files like DOC, XLSX, and PDF, hides the originals, and replaces them with malicious shortcuts bearing identical names and icons. When unsuspecting users attempt to open what appears to be a legitimate document, they trigger malware execution instead.
The worm's propagation mechanism relies on scheduled tasks for persistence. Each time a new USB drive connects to the infected system, the worm automatically copies itself and establishes similar camouflaged shortcuts on the new device, creating a self-replicating infection chain.
Clipboard Hijacking and Cryptocurrency Theft
The clipper component monitors the clipboard approximately every 500 milliseconds, searching for blockchain address patterns across Bitcoin, Ethereum, Tron, and Monero networks. Upon detecting a wallet address, it replaces the legitimate address with an attacker-controlled alternative that partially resembles the original to avoid detection during cursory inspection.
Beyond address substitution, the malware specifically targets BIP39 seed phrases, which are the master keys used to generate cryptocurrency wallets. It detects 12 or 24-word seed phrases, saves them locally as backups, and exfiltrates them through Tor to the C2 server with retry logic until acknowledged. The malware also captures Ethereum and Bitcoin Wallet Import Format private keys, compiling multiple attack vectors for cryptocurrency theft.
Tor-Based Command and Control
Rather than relying on traditional IP-based infrastructure, this campaign deploys a portable Tor binary renamed to avoid detection. The malware generates a unique victim identifier, registers it with the external server, and continuously polls hidden-service C2 domains through a local SOCKS5 proxy on port 9050. This architecture eliminates the need for exposed internet-facing servers and complicates network-based detection.
The C2 infrastructure supports dynamic tasking through EVAL responses, allowing attackers to execute JavaScript payloads at runtime. This transforms the campaign from a pure financial stealer into a versatile backdoor capable of deploying additional malicious code.
Surveillance and Exfiltration
The malware captures five screenshots every ten seconds and transmits them through Tor, providing attackers with visual intelligence of victim cryptocurrency wallet interactions and broader system activity. This surveillance capability enables attackers to monitor transaction amounts, wallet balances, and user behavior patterns before deciding whether to execute wallet address substitution.
All stolen data including seed phrases, private keys, screenshots, and clipboard contents are exfiltrated through Tor channels, obscuring the attacker's infrastructure location and complicating law enforcement attribution.
Evasion Techniques
The malware employs multiple obfuscation layers including PyArmor-protected Python code wrapped in PyInstaller packaging. All malicious components remain encrypted at runtime and only decrypt during execution. The malware includes Task Manager detection that causes immediate exit if the process is detected, preventing analysis by users attempting to monitor system activity.
Additionally, the malware uses WScript and ActiveXObject to interact with the operating system through scripting interfaces that may bypass certain security filters designed for traditional executable detection.
Detection and Mitigation Recommendations
Microsoft recommends prioritizing behavioral-based detection over static signatures. Security teams should monitor for PowerShell-based screen capture operations, WScript or CScript processes launching suspicious child processes, and localhost proxy usage on port 9050.
Specific protective measures include disabling AutoRun and AutoPlay for all removable media, blocking LNK file execution from USB drives through Group Policy Objects, restricting unnecessary use of wscript.exe and cscript.exe, and conducting behavioral analysis on devices involved in sensitive financial operations. Organizations should actively monitor clipboard-related and screen-capture activities in environments handling cryptocurrency or other sensitive financial data.
Sources
https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html
https://securityaffairs.com/193860/uncategorized/tor-based-clipper-malware-targets-wallet-seed-phrases.html
https://thewincentral.com/microsoft-crypto-clipper-malware-tor-worm-backdoor

Comments